Activation script by Rifke


Postby rl2171 on Tue Aug 07, 2007 11:44 pm

Activation script by Rifke
********************************************

How to write an activation script.
This tutorial is made to give you an idea on how to manage an activation script. It gives you the idea, with code examples. But it's up to you to implement it in your system. Or you can use this to write one on your own.



The idea behind an activation script.
Improved security
Fewer unused accounts
Increased amount of valid accounts
(I know there are more but I can't think of any at the moment)

The basic idea
A user registers his/her account, and, which is normally the case in a regular CMS system, it only requires a username and password. Or some users are even too lazy to use a CMS system and they use the ugliest way of registering an account, which is in-game. (I totally hate those servers, because they don't show anything of a decent crew.)

To continue, the requested data is only a username and password. So much for password retrieval. (Password retrieval can be added later on.)
So their basic script looks like this.

    $sql = "INSERT INTO accounts (username,password) VALUES ('".$username."','".$password."')";
    $qry = @mysql_query($sql);
    if ( $qry === false )
    {
        echo 'Sorry, but the registration process has failed. Please try again.';
    }
    else
    {
        echo "Congratulations, you're now owner of ".$username.". Welcome to our community.<br />";
    }


A user can have unlimited accounts, not that you don't care, but those accounts can be sold quite fast. (Extreme case)

But you can create a new table. Or alter the accounts table and add a couple of extra fields. It's up to you. I'm going to handle the new table, because this one doesn't require a complete remake when the project updates their databases.

Your SQL statement will look like this.

    CREATE TABLE `activation` (
      `username` varchar(80) NOT NULL,
      `password` varchar(32) NOT NULL,
      `email` varchar(255) NOT NULL,
      `verifycation` varchar(42) NOT NULL,
      `expires` datetime NOT NULL,
      `created` datetime NOT NULL,
      `active` int(1) NOT NULL DEFAULT '0',
      `activated` datetime DEFAULT NULL,
      KEY `username` (`username`,`password`,`email`)
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;


You can create an additional script with the following code. (still within the registration page)


    $sql = "INSERT INTO accounts (username,password,email,active) VALUES ('".$username."','".$password."','".$email."',0) ";
    $qry = @mysql_query($sql);
    if ( $qry === false ) {
        echo 'Sorry, but the registration process has failed. Please try again.';
    } else {
        // The query passed the first insert. Up to the next one: the activation.
        // We will create a random hash which will be sent by email to the user.
        $RandomHash = sha1(rand(-9999999999,9999999999)); // I think this will be a large enough interval.
        // Now we add data to our new table
        $sql = "INSERT INTO activation (username,password,email,verifycation,expires,created,active)
            VALUES ('".$username."','".$password."','".$email."','".$RandomHash."',DATE_ADD(NOW(), INTERVAL 1 DAY),NOW(),0)";
        $qry = @mysql_query($sql);
        if ( $qry === false ) {
            // sh*t it failed.... Now we'll have to delete the previous insert into the accounts table. And hope it doesn't fail either.
            $sql = "DELETE FROM accounts WHERE username='".$username."'";
            $qry = @mysql_query($sql);
            if ( $qry === false ) {
                // This is really bad
                echo 'We are sorry but something went wrong with our database. Please send an email to &lt;info@yourwebsite.com&gt; with the following information regarding this problem. <br />
                    Code error: #0001 <br />
                    Account: '.$username.' <br />
                    Error encountered: '. date('Y-m-d H:i:s');
            }
        } else {
            // Luckily there wasn't any problem.
            // Now we have added information to both tables, now it's time to send the email. I know you all are familiar with the mail function, if not check http://be.php.net/mail
            // Don't forget to add the hash to the email too, like: To activate your account click <a href="http://www.yoursite.com/index.php?page=activation&amp;h='.$RandomHash.'">here</a>
        }
    }



We have written our registration page, now it's time to proceed with the activation.

In our activation-page we write.

    $a_hash = isset($_GET['h']) ? trim($_GET['h']) : '';
    if ( strlen($a_hash) != 40 ) {
        // A sha1() hash is always 40 characters long; anything else is rejected.
        die ("Invalid activation attempt.");
    }

    // Check for invalid hash is complete. Damn those h4x0rs ^^

    // The hash is 'valid', and we show a form where the user enters his username & password which gets submitted. I won't write it for you. Just do not forget to add a hidden field for the activation hash.

    // Change the values to the ones that match yours.

    if ( $_SERVER['REQUEST_METHOD'] == "POST" && isset($_POST['activate']) ) {
        // You throw some user input security in it.

        // Now it's time to check your data.
        $sql = "SELECT username,password,active,activated FROM activation WHERE verifycation='".$verifycation_hash."' ";
        $qry = @mysql_query($sql);
        if ( $qry === false ) {
            echo "Sorry we could not activate your account. Contact an administrator about this problem.";
        } else {
            // No errors in the query, check if there were any results.
            if ( mysql_num_rows($qry) == 1 ) {
                // No faults and it does exist.
                // We check if it's already activated.
                $ActvArr = mysql_fetch_assoc($qry);
                if ( $ActvArr['active'] == 1) {
                    // We say when it is activated, but we don't tell if the username/password or anything matches. (The h4x0r thinks it will)
                    echo 'This account is activated at: '.$ActvArr['activated']. ' <br />';
                } elseif ( $ActvArr['username'] != $username ) {
                    // I personally don't think the user should know which of the two is false, it could be a hacker.
                    echo 'invalid combination username / password. <br />';
                } elseif ( $ActvArr['password'] != $password ) {
                    // I personally don't think the user should know which of the two is false, it could be a hacker.
                    echo 'invalid combination username / password. <br />';
                } else {
                    // Because it passed the previous tests I assume the information entered is valid.
                    // We update both tables.
                    $sql = "UPDATE accounts SET active='1' WHERE username='".$username."' ";
                    $qry = @mysql_query($sql);
                    if ( $qry === false ) {
                        // Mmm That's a b*tch :D
                        echo 'Sorry but we could not activate your account. Please try it again later.';
                    } else {
                        // Update the activation table also... This one isn't so bad if it fails. But should be reported also
                        $sql = "UPDATE activation SET active='1',activated=NOW() WHERE username='".$username."' ";
                        $qry = @mysql_query($sql);
                        if ( $qry === false ) {
                            echo "We have failed to update our activation list. Your account is already active, but our list isn't updated. Please contact an administrator, to make sure your account doesn't get deleted during clean up.";
                        } else {
                            echo "Your account has been successfully activated. No problems encountered. <br />";
                        }
                    }
                }

            } else {
                echo "Sorry but the hash that's provided does not exist in our database. Please contact an administrator.";
            }
        }

    } else {
        // Here you show your activation form.
    }




I hope this piece of information was useful to someone. I haven't got into much detail, because I want people to consider PHP & MySQL as a serious language, not something to copy-paste, without knowing how it works. So some things you'll have to come up with your own ideas for, or adjust it to the things you have inserted. Hope the people who do know the PHP & MySQL language will have no problem converting this piece of code into a full and operational script.
I mean it does work, but the information, such as form fields & $_POST data, has been cut out.

Activation Script version 2

Inserting upon valid hash

Most of the code will be similar.

Inside the registration page

    if ( $_SERVER['REQUEST_METHOD'] == "POST" && isset($_POST['register']) ) {
        // You have secured your variables & some other security.
        $VerifycationHash = sha1(rand(-9999999999,9999999999));
        $RegSQL = "INSERT INTO
                        activation
                        (username,password,email,verifycation,expires,created)
                    VALUES
                        ('".$username."','".$password."','".$email."','".$VerifycationHash."',DATE_ADD(NOW(),INTERVAL 1 DAY),NOW())
                    ";
        $RegQRY = @mysql_query($RegSQL);
        if ( $RegQRY === false ) {
            echo 'Sorry, but registration of your account has failed.';
        } else {
            // Don't forget to add the hash to the email too, like: To activate your account click <a href="http://www.yoursite.com/index.php?page=activation&amp;h='.$VerifycationHash.'">here</a>
        }
    } else {
        // Show registration fields.
    }


Inside the activation page


    if ( $_SERVER['REQUEST_METHOD'] == "POST" && isset($_POST['activate']) ) {
        // You have secured your variables & some other security.
        $ActSQL = "    SELECT
                        username,password,email,active,activated
                    FROM
                        activation
                    WHERE
                        verifycation='".$hash."'
                    ";
        $ActQRY = @mysql_query($ActSQL);
        if ( $ActQRY === false ) {
            echo 'Sorry, but we could not activate your account.';
        } else {
            if ( mysql_num_rows($ActQRY) != 0 ){
                $ActArr = mysql_fetch_assoc($ActQRY);
                if ( $ActArr['active'] == 1) {
                    echo 'This account has been activated at '.$ActArr['activated']. '<br />';
                } else {
                    // More checks
                    if ( ($ActArr['username'] == $username) && ($ActArr['password'] == $password) ) {
                        // Everything is fine.
                        $AccSQL = "INSERT INTO accounts (username,password,email,active)
                                    VALUES ('".$username."','".$password."','".$ActArr['email']."',1)
                                    ";
                        $AccQRY = @mysql_query($AccSQL);
                        if ( $AccQRY === false ) {
                            echo ' Sorry but the activation has failed.';
                        } else {
                            @mysql_query("UPDATE activation SET active='1',activated=NOW() WHERE verifycation='".$hash."' ");
                            echo ' Your account has been activated. Welcome to our community.';
                        }
                    } else {
                        echo "Username / password doesn't match.";
                    }
                }
            } else {
                echo 'Sorry, but we could not match any results with our activation list.';
            }
        }

    } else {
        /* activation form built
        *    username     (text)
        *    password     (password)
        *    hash        (hidden)
        */
    }

rl2171
Admin
Posts: 1706
Joined: Mon Aug 06, 2007 5:17 pm
Location: Sacramento, CA USA - GMT-8
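
A hardened variant of the "version 2" flow in the post above, added here as an example and not part of Rifke's tutorial: it uses PDO prepared statements, takes the token from random_bytes() instead of sha1(rand()), enforces the expires column, and makes the token single-use. The function names and the SQLite demo tables are assumptions; password_hash() needs a password column wider than the tutorial's varchar(32).

```php
<?php
// Added example (not Rifke's code). Function names and demo tables are assumptions.
function create_activation(PDO $db, string $user, string $pass, string $email): string {
    $token = bin2hex(random_bytes(20));           // 40 hex chars from the OS CSPRNG
    $now = time();
    $db->prepare('INSERT INTO activation (username,password,email,verifycation,expires,created)
                  VALUES (?,?,?,?,?,?)')
       ->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $email, $token,
                  date('Y-m-d H:i:s', $now + 86400), date('Y-m-d H:i:s', $now)]);
    return $token;                                // goes into the e-mailed link
}

function activate(PDO $db, string $token, string $user, string $pass): bool {
    if (strlen($token) !== 40 || !ctype_xdigit($token)) {
        return false;                             // malformed token
    }
    $now = date('Y-m-d H:i:s');
    $db->beginTransaction();
    $sel = $db->prepare('SELECT username,password,email FROM activation
                         WHERE verifycation = ? AND active = 0 AND expires > ?');
    $sel->execute([$token, $now]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    // One generic failure for unknown, expired or used token and for wrong credentials.
    if (!$row || !hash_equals($row['username'], $user)
              || !password_verify($pass, $row['password'])) {
        $db->rollBack();
        return false;
    }
    // Claim the token atomically: a concurrent request that got here first wins.
    $claim = $db->prepare('UPDATE activation SET active = 1, activated = ?
                           WHERE verifycation = ? AND active = 0');
    $claim->execute([$now, $token]);
    if ($claim->rowCount() !== 1) {
        $db->rollBack();
        return false;
    }
    $db->prepare('INSERT INTO accounts (username,password,email,active) VALUES (?,?,?,1)')
       ->execute([$row['username'], $row['password'], $row['email']]);
    return $db->commit();                         // both writes land or neither does
}

// Constructed demo on in-memory SQLite, using the tutorial's column names.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE activation (username TEXT, password TEXT, email TEXT, verifycation TEXT,
           expires TEXT, created TEXT, active INTEGER DEFAULT 0, activated TEXT)');
$db->exec('CREATE TABLE accounts (username TEXT, password TEXT, email TEXT, active INTEGER)');
$t = create_activation($db, 'alice', 'correct horse', 'alice@example.test');
var_dump(activate($db, $t, 'alice', 'wrong guess'));    // wrong password
var_dump(activate($db, $t, 'alice', 'correct horse'));  // valid activation
var_dump(activate($db, $t, 'alice', 'correct horse'));  // token reused
```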

Re: Activation script by Rifke

Postby Rifke on Thu Aug 09, 2007 3:04 pm

Thanks for reposting. Found out the new forum link via via.
Rifke
Pero pero
Posts: 719
Joined: Thu Aug 09, 2007 3:01 pm
Location: Belgium

Re: Activation script by Rifke

Postby Drkpanoz on Thu Aug 09, 2007 6:58 pm

You make great tutorials :) +k (too bad it doesn't exist :o) :P
Drkpanoz
Jelly Bean
Posts: 11
Joined: Thu Aug 09, 2007 6:38 pm

Re: Activation script by Rifke

Postby lmame on Thu Aug 09, 2007 6:59 pm

Drkpanoz wrote: You make great tutorials :) +k (too bad it doesn't exist :o) :P

What doesn't exist? :geek:
The world is full of love and peace ^_^
lmame
Admin
Posts: 8997
Joined: Mon Aug 06, 2007 4:42 pm
Location: July City

Re: Activation script by Rifke

Postby Drkpanoz on Thu Aug 09, 2007 7:01 pm

lmame wrote:
Drkpanoz wrote: You make great tutorials :) +k (too bad it doesn't exist :o) :P

What doesn't exist? :geek:

A karma system. When someone does something or makes something really nice, people can give karma. You can 'judge' how good or experienced someone is by how much karma they have. There might be a phpBB3 plugin for it, I have absolutely no idea. :)
Drkpanoz
Jelly Bean
Posts: 11
Joined: Thu Aug 09, 2007 6:38 pm

Re: Activation script by Rifke

Postby lmame on Thu Aug 09, 2007 7:13 pm

I'll wait a little for that, for the definitive version of phpbb :)
The world is full of love and peace ^_^
lmame
Admin
Posts: 8997
Joined: Mon Aug 06, 2007 4:42 pm
Location: July City

